Posts Tagged: Spamit


21
Mar 12

Bredolab Botmaster ‘Birdie’ Still at Large

Employee and financial records leaked from some of the world’s largest sponsors of spam provide new clues about the identity of a previously unknown Russian man believed to have been closely tied to the development and maintenance of “Bredolab,” a massive collection of hacked machines that was disassembled in an international law enforcement sweep in late 2010.

Bredolab grew swiftly after Birdie introduced his load system.

In October 2010, Armenian authorities arrested and imprisoned 27-year-old Georg Avanesov on suspicion of running Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers that were used to direct the botnet’s activities.

Dutch and Armenian investigators have long suspected that Avanesov worked closely with an infamous Russian botmaster who used the nickname “Birdie,” but so far they have been unable to learn the Russian’s real identity or whereabouts.

“He was a close associate of Gregory A.,” Pim Takkenberg, team leader of the National High Tech Crime Unit in the Netherlands, said of the hacker known as Birdie. “Actually, we were never able to fully identify him.”

According to records leaked from SpamIt — a pharmacy affiliate program that was the victim of a data breach in 2010 — Birdie was an affiliate with SpamIt along with Avanesov. Neither affiliates earned much from SpamIt directly; they both made far more money selling other spammers access to Bredolab.

Birdie was also the nickname of a top member of Spamdot.biz, a now-defunct forum that once counted among its members nearly all of the big names in Spamit, as well as a dozen competing spam affiliate programs. Birdie’s core offering on Spamdot was the “Birdie Load System,” which allowed other members to buy “installs” of their own malware by loading it onto machines already infected with Bredolab.

So successful and popular was the Birdie Load System among Spamdot members that Birdie eventually had to create a customer queuing system, scheduling new loads days or weeks in advance for high volume customers. According to his own postings on Spamdot, Birdie routinely processed at least 50,000 new loads or installs for customers each day.

“Due to the fact that many of my clients very much hate waiting in line, we’ve begun selling access to weekly slots,” Birdie wrote. “If a ‘slot’ is purchased, independently from other customers, the person who purchased the slot is guaranteed service.”

Using Birdie’s Bredolab load system, spammers could easily re-seed their own spam botnets, and could rely upon load systems like this one to rebuild botnets that had been badly damaged from targeted takedowns by anti-spam activists and/or law enforcement. Bredolab also was commonly used to deploy new installations of the ZeuS Trojan, which has been used in countless online banking heists against consumers and businesses.

Below is a translated version of Birdie’s Dec. 2008 post to Spamdot describing the rules, prices and capabilities of his malware loading machine (click the image below twice for an enlarged version of the Spamdot discussion thread from which this translation was taken). Continue reading →


1
Feb 12

Who’s Behind the World’s Largest Spam Botnet?

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On  April 13, 2008 – just five days after Stewart’s analysis was released –  GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!” Continue reading →


30
Jan 12

Glavmed Sister Program ‘GlavTorg’ to Close

A prominent affiliate program that pays people to promote knockoff luxury goods is closing its doors at the end of January. The program — GlavTorg.com — is run by the same individuals who launched the infamous Glavmed and SpamIt rogue pharmacy operations.

Launched on July 4, 2010 and first announced on the Glavmed pharmacy affiliate forum, GlavTorg marketed sites that sold cheap imitations of high priced goods, such as designer handbags, watches, sunglasses and shoes.

“July 4 – U.S. Independence Day! Now, Russian craftsmen have a reason to celebrate this holiday. And on this occasion, the launch of GlavTorg.com. The all-new niche for all Russian search engine optimization (SEO) masters. Adult has died, online pharmacies are under pressure, and [fake anti-]spyware is dying. It’s time to move into a new direction. FASHION – that’s the trend this year! High demand, myriad of opportunities… Competition is almost non-existent.  High commissions.”

The program apparently was not profitable, or there was a mismatch between supply and demand, because on Dec. 21, 2011, GlavTorg affiliates were told it was being shut down and that they would not be paid after Jan. 31, 2012:

“Dear partners, We would like to inform you that we have decided to close the trade direction replica handbags and clothing. The reasons for this decision and are associated with economic deterioration in the quality of products provided by our suppliers. We believe that any business should be to balance the interests of buyers and sellers, which has recently become disturbed.”

GlavTorg’s failure may have had more to do with pressure from brand owners. In September 2011, handbag maker Chanel filed suit to shutter dozens of sites selling knockoff versions of its products. Among the domains seized and handed over to the company was topbrandclub.com, a primary GlavTorg merchandising site whose home page now bears a warning from Chanel about buying counterfeit goods. Continue reading →


26
Jan 12

Mr. Waledac: The Peter North of Spamming

Microsoft on Monday named a Russian man as allegedly responsible for running the Kelihos botnet, a spam engine that infected an estimated 40,000 PCs. But closely held data seized from a huge spam affiliate program suggests that the driving force behind Kelihos is a different individual who commanded a much larger spam empire, and who is still coordinating spam campaigns for hire.

Kelihos shares a great deal of code with the infamous Waledac botnet, a far more pervasive threat that infected hundreds of thousands of computers and pumped out tens of billions of junk emails promoting shady online pharmacies. Despite the broad base of shared code between the two malware families, Microsoft classifies them as fundamentally different threats. The company used novel legal techniques to seize control over and shutter both botnets, sucker punching Waledac in early 2010 and taking out Kelihos last fall.

On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was operated by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos.

“It’s the same code with modifications,” said Brett Stone-Gross, a security analyst who came into possession of the Kelihos source code last year and has studied the two malware families extensively.

Rather, Stone-Gross said, the true coordinator of both Kelihos and Waledac is likely another Russian who is well known to anti-spam activists.

WHO IS SEVERA?

A variety of indicators suggest that the person behind Waledac and later Kelihos is a man named “Peter Severa” — known simply as “Severa” on underground forums. For several years running, Severa has featured in the Top 10 worst spammers list published by anti-spam activists at Spamhaus.org (he currently ranks at #5). Spamhaus alleged that Severa was the Russian partner of convicted U.S. pump-and-dump stock spammer Alan Ralsky, and indeed Peter Severa was indicted by the U.S. Justice Department in a related and ongoing spam investigation.

It turns out that the connection between Waledac and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. The data also include tantalizing clues about Severa’s real identity.

In multiple instances, Severa gives his full name as “Peter North;” Peter Severa translates literally from Russian as “Peter of the North.” (The nickname may be a nod to the porn star Peter North, which would be fitting given that Peter North the spammer promoted shady pharmacies whose main seller was male enhancement drugs).

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

According to SpamIt records, Severa brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period. He also was a moderator of Spamdot.biz (pictured at right), a vetted-members-only forum that included many of SpamIt’s top earners, as well as successful spammers/malware writers from other affiliate programs such as EvaPharmacy and Mailien.

Severa seems to have made more money renting his botnet to other spammers. For $200, vetted users could hire his botnet to send 1 million pieces of spam; junk email campaigns touting employment/money mule scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Spamhaus says Severa’s real name may be Peter Levashov. The information Severa himself provided to SpamIt suggests that Spamhaus’s intelligence is not far off the mark.

Severa had his SpamIt earnings deposited into an account at WebMoney, a virtual currency popular in Russia and Eastern Europe. According to a source that has the ability to look up identity information tied to WebMoney accounts, the account was established in 2001 by someone who entered a WebMoney office and presented the Russian passport #454345544. The passport bore the name of a then 26-year-old from Moscow — Viktor Sergeevich Ivashov.

Continue reading →


5
Jan 12

Pharma Wars: Mr. Srizbi vs. Mr. Cutwail

The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

Reactor Mailer Terms of Service, 2005

Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by  “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.

BOTMASTER BATTLE

SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

Continue reading →


1
Jan 12

Pharma Wars: ‘Google,’ the Cutwail Botmaster

Previous stories in my Pharma Wars series have identified top kingpins behind the some of the biggest spam botnets. Today’s post does that and more, including never-before-published information on “Google,” the lead hacker behind the world’s busiest spam botnet — Cutwail.

December 2011 spam stats from M86Security

For many years, Cutwail has been among the top three most prolific spam botnets. With the recent takedown of the Rustock botnet, Cutwail now is the top spam bot; according to M86 Security, versions of Cutwail are responsible for about 22 percent of the daily spam volumes worldwide.

Security researchers have extensively dissected the technical machinery that powers Cutwail (a.k.a. “Pushdo” and “Pandex”), but until now little has been published about the brains behind it. Krebs On Security has learned that the individual principally responsible for developing and renting this crime machine to other miscreants was a top moneymaker for SpamIt, until recently the world’s largest rogue Internet pharmacy affiliate program.

By the time he joined SpamIt in early 2007, the hacker named Google had already spent several years fine-tuning his spam botnet. Just months prior to its closure in Oct. 2010, SpamIt was hacked, and its customer and affiliate data leaked online. The data shows that Google used close to a dozen affiliate accounts at SpamIt, and made nearly $175,000 in commissions advertising SpamIt’s rogue online pharmacies with the help of Cutwail.

But Google would make far more money renting his botnet to other spammers, and SpamIt affiliates quickly became his biggest client base. Interestingly, the proprietors of SpamIt initially asked for Google’s help not to spam rogue pharmacies, but to jump-start a new affiliate program called Warezcash to sell “OEM” software — mostly pirated copies of Microsoft Windows and other high-priced software titles.

That relationship is evident from hundreds of chat logs between Google and SpamIt co-founder Dmitry “Saintd” Stupin. The conversations were part of thousands of hours of logs obtained by Russian cybercrime investigators who examined Stupin’s computer. The chats were later leaked online, and provide a rare glimpse into the day-to-day operations of Cutwail from the botmaster’s perspective. They also provide tantalizing clues as to the real-life identity of Google and his co-workers. Snippets of those conversations appear below, translated from their original Russian into English by native Russian speakers.

THE CUTWAIL MACHINE

Some of the best techical analysis of Cutwail came earlier this year in a paper from researchers at the University of California, Santa Barbara and Ruhr-University Bochum, which described in detail how the Cutwail botnet was operated, rented and promoted on the exclusive SpamIt forums. From their paper (PDF):

“The Cutwail spam engine is known in spam forums by the name 0bulk Psyche Evolution, where it is rented to a community of spam affiliates. These affiliates pay a fee to Cutwail botmasters in order to use their botnet infrastructure. In return, the clients are provided with access to a Web interface (available in Russian or English language) that simplifies the process of creating and managing spam campaigns…”

SpamIt affiliate records show that Google registered with the program using the email address psyche.evolution@gmail.com (according to historical WHOIS records, the domain name psyche-evolution.com was registered in 2005 by that same email address, to an organizations called “0bulk corp.” in Moscow).

In several chats with Stupin, Google describes how he and his pals switched to pharmacy spamming when promoting stocks via spam became less lucrative. In a discussion on Feb. 25, 2007, Google said he was “renting software for spam,” to competing spam affiliate programs “Mailien,” “Bulker,” and “Aff Connection,” and that all of his clients had great success converting traffic into sales. “We have been spamming stocks, however now stocks started converting badly, so we decided to spam in parallel with some affiliate programs. We organized people, gave them tasks to do. We’ve been spamming them for a week only, but I think we’ll do good.”

Continue reading →


5
Dec 11

Chats With Accused ‘Mega-D’ Botnet Owner?

Recently leaked online chat records may provide the closest look yet at a Russian man awaiting trial in Wisconsin on charges of running a cybercrime machine once responsible for sending between 30 to 40 percent of the world’s junk email.

Oleg Nikolaenko

Oleg Y. Nikolaenko, a 24-year-old who’s been dubbed “The King of Spam,” was arrested by authorities in November 2010 as he visited a car show in Las Vegas. The U.S. Justice Department alleges that Nikolaenko, using the online nickname “Docent” earned hundreds of thousands of dollars using his “Mega-D” botnet, which authorities say infected more than half a million PCs and could send over 10 billion spam messages a day. Nikoalenko has pleaded not guilty to the charges, and is slated to appear in court this week for a status conference (PDF) on his case.

The Justice Department alleges that Nikolaenko spammed on behalf of Lance Atkinson and other members of Affking, an affiliate program that marketed fly-by-night online pharmacies and knockoff designer goods. Atkinson told prosecutors that one of his two largest Russian spamming affiliates used the online moniker Docent. He also said that Docent received payment via an ePassporte account under the name “Genbucks_dcent.” FBI agents later learned that the account was registered in Nikolaenko’s name and address in Russia, and that the email address attached to the account was 4docent@gmail.com.

According to my research, Docent also spammed for other rogue pharmacy programs. In fact, it’s hard to find one that didn’t pay him to send spam. In my Pharma Wars series, I’ve detailed how Russian cybercrime investigators probing the operations of the massive GlavMed/SpamIt rogue pharmacy operation seized thousands of chat logs from one of its principal organizers. The chats were later leaked online and to select journalists. Within those records are hundreds of hours of chats between the owners of the pharmacy program and many of the world’s biggest spammers, including dozens with one of its top earners — Docent.

According to the SpamIt records, Docent earned commissions totaling more than $325,000 promoting SpamIt pharmacy sites through spam between 2007 and 2010. The Docent in the SpamIt database also had his earnings sent to the same ePassporte account identified by the FBI. The Docent in the leaked chats never references himself as Nikolaenko, but in several cases he asks SpamIt coordinators to send documents to him at the 4docent@gmail.com address.

The chats between Docent and Stupin show a young man who is ultra-confident in the value and sheer spam-blasting power of his botnet. Below are the first in a series of conversation snippets between Docent and SpamIt co-administrator Dmitry Stupin. Before each is a brief note providing some context.

In the transcript that follows, Stupin tries to woo Docent to join SpamIt. Docent negotiates a much higher commission rate than is usually given to new spamming partners. The typical rate is 30 percent of each sale, but Docent is a known figure in the spamming underground, and argues that his botnet will bring such massive traffic to the SpamIt pharmacies that he deserves a higher 45 or 50 percent cut of the sales. This conversation was recorded on Feb. 1, 2007.

Stupin:  Hello! You have communicated with ICQ 397061228, I am writing regarding your case, Docent.

Docent: Which case?

Stupin:  Do you want to send spam regarding our partnerka [“partnerka” is Russian slang for a mix of private and semi-public affiliate groups that form to facilitate cybercrime activities].

Docent: Which exactly do you mean? I have not yet communicated with this 397061228.

Stupin: Here is the letter which recently came from  you: “It is usual spam,  GI bases, not opt-in. Big volume of emails. I mail a lot of [competing pharmacy] programs, Bulker, Mailien, SRX. I’m a member of most bulk forums. So if you need references, i can provide them. Usual traffic is 2k+ uniques. Also i need bulk-host.”

Docent: Yes, I got it. It’s just nobody IM’d me.

Stupin: ок) What kind of volumes of spam can you deliver? We are soon deploying our own “partnerka” for spam, we just do not have it right now.

Docent: Volumes are huge, 500 million + / day.

Stupin: Wow! Are you not accidentally on [Spamhaus] ROKSO List ?

Docent: Yes, it’s a list of idiots :), with the exception of a couple of people.

Stupin:  We do contract people for our spam campaigns, but only verified people. We are not publicly opened yet.

Continue reading →


17
Nov 11

Pharma Wars: The Price of (in)Justice

I spoke this week at Govcert 2011, a security conference in Rotterdam.  The talk drew heavily on material from my Pharma Wars series, about the alleged proprietors of two competing rogue Internet pharmacies who sought to destroy the others’ reputation and business and ended up succeeding on both counts. Here is the latest installment.

For those who haven’t been following along, I’ve put together a cheat sheet on the main players, the back story and the conflict. Click here to skip this section.

Actors

Pavel Vrublevsky: Co-founder and Former chief executive officer of ChronoPay, until recently a major processor of electronic payments in Russia. Vrublevsky has been accused of running an illegal business, a rogue Internet pharmacy affiliate program called Rx-Promotion, and is currently in prison awaiting trial on unrelated cybercrime charges. Known to business partners as “Red” or “RedEye.”

Igor Gusev: Co-founded ChronoPay with Vrublevsky in 2003. Had a falling out with Vrublevsky in 2005, left ChronoPay and started the Internet pharmacy affiliate programs GlavMed and SpamIt. The latter was closed in Sept. 2010, and Gusev has been charged with running an illegal business. He is still at large.

Dmitry Stupin: Gusev’s right-hand man. Helped to build SpamIt and GlavMed. The logs below are from a set of logs leaked to several download sites that contain thousands of conversations between Stupin and Gusev. The logs were obtained shortly after the police detained Stupin as part of the criminal investigation into Gusev.

Conflict: Two former business partners-turned-competitors try to sabotage each others’ business and to get the other arrested.

The Conversation

The conversation below takes place between Feb. 21 and 23, 2010, and is a chat log between Gusev and Stupin. Gusev already knows there are plans to file criminal charges against him, which indeed come just seven months after this conversation was recorded. The two are discussing plans to pay more than $1.5 million to politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Several attendees at Govcert 2011 asked about the likelihood of Vrublevsky serving time, if convicted. This chat may provide a clue. In the middle of the following conversation, Gusev says he has secured promises that if arrested, Vrublevsky “would remain in prison and would not be able to pay his way out,” Gusev wrote. “He is going to lose a large portion of his business and will be left with no money to fight the war.”

Continue reading →


10
Nov 11

Rove Digital Was Core ChronoPay Shareholder

Rove Digital, the company run by six men who were arrested in Estonia this week for allegedly infecting four million PCs worldwide with malware, was an early investor in ChronoPay, a major Russian payment processing firm whose principal founder Pavel Vrublevsky also is now in prison and awaiting trial on cyber crime charges, KrebsOnSecurity has learned.

Estonian authorities on Tuesday arrested Rove Digital founder Vladimir Tsastsin, 31, along with five other Estonian nationals indicted on charges of running a sophisticated click fraud scheme. Yesterday’s blog post details Tsastsin’s criminal history, and his stewardship over Rove and a sister firm, EstDomains.. Today’s post will reveal how Tsastsin and his company were closely allied with and early investors in ChronoPay, and how that relationship unraveled over the years.

In my Pharma War series, I’ve published incorporation documents showing that Igor Gusev, a man currently wanted in Russia on criminal charges of running an illegal business in the notorious pharmacy spam affiliate programs GlavMed and SpamIt, was a co-founder of ChronoPay back in 2003. That series also details how Gusev sold his shares in ChronoPay, and that Vrublevsky later started a competing rogue pharmacy/spam operation called Rx-Promotion.

A spreadsheet showing front companies tied to ChronoPay.

It turns out that ChronoPay also had two other major and early investors: Rove Digital and a mysterious entity called Crossfront Limited. This information was included in the massive trove of internal ChronoPay emails and documents that was briefly published online last year and shared with select journalists and law enforcement agencies. Among those documents is a spreadsheet (XLS) listing all of the various shadowy companies allegedly owned and managed by ChronoPay founder Pavel Vrublevsky and associates. It lists ChronoPay B.V., the legal entity in The Netherlands that formed the initial basis of the company, as jointly owned by Gusev’s firm DPNet B.V., Red & Partners (Vrublevsky’s adult Webmaster provider) and Rove Digital OU.

When I met with Vrublevsky at his offices in Moscow in February of this year, he confirmed that Tsastsin was an old friend and that Rove Digital had been a key shareholder in the company. Further evidence of the connection between ChronoPay and Rove Digital is provided in a series of internal ChronoPay emails from May 2010.

At that time, ChronoPay was under investigation by Dutch banking regulators who suspected that the company’s intricate network of front companies and financial channels were acting in violation of the country’s anti-money laundering laws. In a tersely-worded email exchange, the Dutch bank  demanded a slew of additional accounting and administrative records, including “all documents that show the structure of ChronoPay BV, such as statutes, incorporation documents, names and addresses of director(s) and shareholders.”

Continue reading →


1
Nov 11

Jailed ChronoPay Co-Founder Denied Bail

A Moscow court on Monday denied bail for Pavel Vrublevsky, a Russian businessman who was charged earlier this year with hiring hackers to launch costly online attacks against his rivals. The denial came even after Vrublevsky apparently admitted his role in the attacks, according to Russian news outlets.

Vrublevsky in 2004

Vrublevsky, 32, is probably best known as the co-founder of ChronoPay, a large online payment processor in Russia. He was arrested in June after Russian investigators secured the confession of a man who said he was hired by Vrublevsky to launch a debilitating cyber attack against Assist, a top ChronoPay competitor. The former ChronoPay executive reportedly wanted to sideline rival payment processing firms who were competing for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Aeroflot’s processing systems faltered for several days in the face of the attack, an outage that Aeroflot says cost the company about a million dollars a day.

Vrublevsky’s lawyers asked the court to release him pending a trial in December — offering to pay 30 million rubles (~ USD $1 million) — but the court denied the request.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay last year indicate Vrublevsky co-ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Vrublevsky and Gusev have been locked in an increasingly heated and public battle to ruin the others’ business, a saga that I have chronicled in an ongoing series: Pharma Wars.

Continue reading →